“Automation solutions as they stand today act as support structures for the gatekeepers, like firewalls, and do little to enhance the security at the core.”
Enterprises handling card data are perennially in a state of fear regarding card data exposure. There is a rise in security breaches exposing millions to fraud, even from large multinational corporations with highly secure enclaves like the restaurant chain Chipotle or the UK Insurance firm AA.
Incidents like these have put CIOs and CISOs in every enterprise on alert. A breach could lead to millions of dollars in financial losses (like the $18m in a settlement paid by the retail chain Target) and huge reputational damage to those firms.
To aid the industry in securing card data, the PCI DSS (Payment Card Industry Data Security Standards) standards were established in 2004, and it has seen wide adoption across the world in the last few years.
A non-compliant enterprise could face the loss of reputation, civil litigation and heavy fines. Compliance requires that the sensitive authentication data is not stored and the cardholder data is securely stored. It also mandates that this data is securely transmitted to the various components in the system.
It defines over 200 requirements that every firm dealing with card data is expected to adhere to. These requirements include firewalls, encryption, secure transmissions, access controls, logging, monitoring and more.
A typical enterprise infrastructure in a large company could have hundreds of servers and applications, including firewalls, routers, border devices, proxies, session managers, load balancers, application servers, databases, recorders, interactive voice response systems, custom business applications and much more.
These components are located across the world, in various configurations and communicating with each other all the time.
Ensuring all the PCI DSS requirements are enforced 100% of the time, can only be achieved through significant automation.
Need for Next-gen Automation
Automation solutions as they stand today act as support structures for the gatekeepers, like firewalls, and do little to enhance the security at the core. A typical enterprise infrastructure can be visualized as a layered setup with firewalls being at the outer edge and enterprise applications at the core.
The layers in between are populated with elements like web servers, session border controllers, hypervisors, operating systems and proxies.
Current automation systems are focused on the outer layers and look to ensure the configuration and the behaviour of the firewalls and web servers. They also look to scan for various security mechanisms and virus/malware at the operating system levels.
These are important aspects to securing critical card data in the enterprise, and enforcing PCI DSS requirements. But, they are inadequate.
Breach of perimeter security is an inevitability with time, and while it can be made tougher and response times can be improved, it can’t be completely eliminated.
Ensuring security of critical data at the core is just as important, and this is recognized by the PCI DSS standards as a significant portion of the requirements focus of this.
Next-gen automation systems that can ensure the configurations, encryptions and secure communications, within the enterprise application and the databases at the core are needed to ensure in-depth security for the card data, its storage and usage.
These systems will need to be able to understand the applications they are monitoring and verify both the configurations and the behaviour.
They would need to ensure that not only are the databases encrypted, but the applications store encrypted data in the database too, thus ensuring that exposure of the database will not lead to exposure of critical data.
These automation systems will need to understand not just applications but solutions too, as the specifics of interactions between various applications is crucial to enforcing security.
Image Source: aristilabs.com
Securing Card Data through PCI DSS — In Need of Next-Gen Automation? was originally published in Assertion on Medium, where people are continuing the conversation by highlighting and responding to this story.